Problem:
NetBackup IT Analytics uses phantomJS for server-side chart exporting, which is used in the export report feature. phantomJS v2.1.1 has one reported vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2019-17221).
Error Message:
N/A
Cause:
phantomJS through v2.1.1 has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. The vulnerability exists in the page.open() function of the webpage module, which loads a specified URL and calls a given callback. An attacker can supply a specially crafted HTML file, as user input, that allows reading arbitrary files on the filesystem. For example, if page.render() is the function callback, this generates a PDF or an image of the targeted file.
Solution:
Veritas does not believe this vulnerability is exploitable in NetBackup IT Analytics because of the way phantomJS is used in the product for the following reasons:
- phantomJS is only accessible on localhost (127.0.0.1) of the NetBackup IT Analytics server. The application does not expose it to the outside world.
- NetBackup IT Analytics uses phantomJS to start the HTTP server using its own JavaScript file (highcharts-convert.js), which expects only certain parameters in the HTTP request. This means that an attacker cannot run an arbitrary JavaScript file on phantomJS. Every request is received by highcharts-convert.js, which throws an error if invalid arguments are passed to the server. This is how the command is constructed when running phantomjs:
<install_path>/aptare/phantomjs/bin/phantomjs <install_path>/aptare/portal/scripts/highcharts/highcharts-convert.js -host 127.0.0.1 -port 7777
With the above command, phantomJS is reachable only on the given host and port (127.0.0.1:7777). phantomJS is used to start the server, and the server then listens for export requests. highcharts-convert.js uses the page.open method only to open an "about:blank" page and then generates images using Highcharts and the parameters given in the HTTP request.
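The mitigation above rests on the phantomJS listener being bound to loopback only. The following is an added verification script, not Veritas code, that a portal administrator can run on a Linux Portal server to confirm that assumption: it parses the output of `ss -ltn` and reports any listener on the export port that is bound to a non-loopback address. The port number 7777 and the loopback-only expectation are taken from the command line above; the function names, the embedded sample output, and the use of `ss` are assumptions of this example.

```python
"""Check that the phantomJS export listener (highcharts-convert.js) is loopback-only.

Added example, not part of the Veritas article. Parses `ss -ltn` output and flags
any binding of the export port to a non-loopback address.
"""
import shutil
import subprocess

EXPORT_PORT = 7777  # port from the phantomjs command line in the article
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample output of `ss -ltn` on a correctly configured server.
SAMPLE_SS_OK = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:7777    0.0.0.0:*
LISTEN 0      100    0.0.0.0:8443      0.0.0.0:*
"""

# Constructed sample output where the export port is exposed on all interfaces.
SAMPLE_SS_BAD = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:7777      0.0.0.0:*
LISTEN 0      128    [::]:7777         [::]:*
"""


def parse_listeners(ss_output: str):
    """Return (address, port) tuples for every LISTEN line of `ss -ltn` output.

    Handles IPv4 ("127.0.0.1:7777"), IPv6 ("[::1]:7777") and wildcard
    ("*:7777", "0.0.0.0:7777") local address formats; the header line and
    anything that is not a LISTEN socket are skipped.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def non_loopback_bindings(ss_output: str, port: int = EXPORT_PORT):
    """Addresses on which `port` is listening that are NOT loopback addresses."""
    return [addr for addr, p in parse_listeners(ss_output)
            if p == port and addr not in LOOPBACK]


def listener_is_local_only(ss_output: str, port: int = EXPORT_PORT) -> bool:
    """True when `port` is listening and every binding is a loopback address.

    Returns False both when the port is exposed and when nothing listens at all,
    so that a stopped exporter is not mistaken for a hardened one.
    """
    bound = [addr for addr, p in parse_listeners(ss_output) if p == port]
    return bool(bound) and all(addr in LOOPBACK for addr in bound)


def check_live_host(port: int = EXPORT_PORT) -> str:
    """Run `ss -ltn` on this host (if available) and return a one-line verdict."""
    if shutil.which("ss") is None:
        return "ss not found; run the check manually with `netstat -ltn`"
    output = subprocess.run(["ss", "-ltn"], capture_output=True, text=True,
                            check=False).stdout
    exposed = non_loopback_bindings(output, port)
    if exposed:
        return f"port {port} is bound to non-loopback address(es): {exposed}"
    if listener_is_local_only(output, port):
        return f"port {port} is bound to loopback only"
    return f"nothing is listening on port {port}"


if __name__ == "__main__":
    print("sample OK  ->", listener_is_local_only(SAMPLE_SS_OK))
    print("sample BAD ->", non_loopback_bindings(SAMPLE_SS_BAD))
    print("this host  ->", check_live_host())
```

Run it on the Portal server after Tomcat has started the exporter; the expected verdict is that port 7777 is bound to loopback only. Any non-loopback binding means the localhost-only assumption no longer holds and should be investigated.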
While Veritas does not believe this vulnerability is exploitable in NetBackup IT Analytics, if there is a need to remove phantomJS from the IT Analytics Portal server, the steps below can be followed. Note that after doing so, charts will not be available in the exported report:
Windows
- Stop APTARE Portal Tomcat service through the service manager.
- Delete C:\opt\aptare\phantomjs folder.
- Start APTARE Portal Tomcat service through the service manager.
Linux
1. Stop Portal Service.
# <install_path>/aptare/bin/tomcat-portal stop
e.g.: # /opt/aptare/bin/tomcat-portal stop
2. Remove phantomJS folder.
# rm -rf <install_path>/aptare/phantomjs
e.g.: # rm -rf /opt/aptare/phantomjs
3. Start Portal Service.
# <install_path>/aptare/bin/tomcat-portal start
e.g.: # /opt/aptare/bin/tomcat-portal start